Law firm cyber breaches could result in huge thefts and insider trading

Law firms are at risk of data breaches and often have inadequate cyber security.Confidential documents sent in unencrypted emails are at risk of being stolen.An estimated £85 million was stolen from firms over 18 months.

LONDON – Confidential information is at risk of being stolen from law firms and being used for insider trading or sold to third parties, according to legal experts.

Information held by law firms is commercially sensitive and most communication is done via email, including sending and receiving privileged documents, making firms “particularly vulnerable” to hackers, says Founder of DigitalLawUK Peter Wright.

According to Wright, firms’ email systems are “frequently unencrypted end to end, and sometimes the servers themselves are unencrypted.” If confidential information is illicitly obtained, particularly that relating to business deals and mergers, it could be used for insider trading or be sold to a third party.

In 2015, PwC’s annual law firm survey reported that 62% of law firms had been the victim of a cyber attack in the past year, while the Information Commissioner’s Office reported that the number of data breaches in the legal sector had increased by almost a third between 2015 and 2016. However, Legal Week’s 2013 Benchmark survey showed only 35% of firms had a response plan for attacks.

A key problem, says Wright, is the “haphazard development” of firms’ IT systems, which often have “inherent problems” and lack strategic security plans. Firms also often worry, he says, that clients, who “they are beholden to,” will dislike like less convenient encrypted solutions.

In 2016, isurance company QBE estimated that hackers had stolen £85 million from British law firms over 18 months, after learning they tend to make bank transfers on Fridays and posing as lawyers or clients. This has been “a real problem for the part of the profession in real estate,” says Wright, although firms are wising up to the problem.

Illegally obtaining confidential information is less common than “by hook or by crook” fraud, in which attackers are simply looking to steal money, says Wright. This is because a successful information breach would need to be done in a “very targeted, skilled way, by people who knew what they were doing, what they wanted to steal and the value of the documents once they have them,” says Wright.

But, “of course,” he says, “it does happen.”

Highlighting the potential scale of the threat, Wright points to the Panama Papers data breach, in which 11.5 million documents were leaked from law firm Mossack Fonseca. This sort of breach, he says, is likely to be perpetrated by an insider – although founding partner Ramon Fonseca last year denied the Panama Papers was an “inside job.”

Although documents in the Panama Papers leak dated back to the 1970s, under UK data protection laws firms are generally permitted only keep personal data for up to six years. However, it is possible for data to remain buried in a system even after someone thinks they have deleted it – and even if only six years-worth of data is accessible, “the risk potential is massive,” says Wright.